[ISN] Microsoft Sets New Patch Record, Fixes 26 Flaws

From: InfoSec News (alerts@private)
Date: Tue Oct 10 2006 - 22:29:29 PDT


By Gregg Keizer
TechWeb Technology News
October 10, 2006

Microsoft on Tuesday released 10 security updates, one less than 
anticipated, that patched a record 26 vulnerabilities in Windows, 
Office, and .Net. More than half of the flaws were pegged "critical" by 
the Redmond, Wash. developer.

Tuesday's tally was impressive by any count: 6 of the 10 updates were 
judged critical, with the remaining split among Microsoft's other 
rankings: "important" (1), "moderate" (2), and "low" (3). Of the 26 
disclosed vulnerabilities, 15 were labeled critical, 6 important, 2 
moderate, and 3 low. Both the total vulnerabilities and the number of 
critical vulnerabilities set new records for Microsoft in its monthly 
patch process.

"This is a very rich lot," said Minoo Hamilton, a senior security 
researcher with patch management vendor nCircle. "There's everything in 
here from Windows Explorer and Internet Explorer to Word and Excel and 

Every one of the half-dozen bulletins marked critical should be paid 
attention to, said Hamilton. "They're all remotely exploitable, and in some 
cases across the [OS] board."

Several of the updates fix flaws that hackers are already exploiting, 
including MS06-057, which patches the WebViewFolderIcon bug known -- and 
used -- since the end of September. Others patching already-exploited 
vulnerabilities include the MS06-058 update for Microsoft Office 
PowerPoint and MS06-060, a fix for Microsoft Word.

Office, in fact, accounted for 62 percent of the bugs patched Tuesday 
and 86 percent of those marked critical. Microsoft's suite has been 
under the gun since May, when a vulnerability in Word was fixed, and has 
been the subject of prognostication for months.

"Attackers have an increasing tendency to exploit vulnerabilities in 
desktop applications rather than network infrastructure," said Oliver 
Friedrichs, director of the company's security response team, in an 
e-mail. "The quantity of Microsoft Office vulnerabilities this month 
illustrates this emerging attacker focus and users should consider the 
installation of these patches to be critical."

The Office vulnerabilities make lucrative targets for attackers, added 
Don Leatham, the director of solutions and strategy at Patchlink. "The 
hacker community is driving more and more toward creating as many 
botnets as possible, and the easiest way to get them is in the end-user 
part of the enterprise. The number of bugs within Office shows that 
concerted effort."

All the Office updates affect not only various versions on Windows, but 
also Mac Office 2004 and Mac Office v. X. Mac users can update from 
within the suite, or by downloading the appropriate patch at Microsoft's 
Mactopia Web site.

But the update that both Leatham and nCircle's Hamilton thought deserved 
first place in the patching order wasn't one of the 4 for Office, but 
instead MS06-061, a fix for the XML parser and XML core services within 
Windows. This critical update, said both researchers, should be patched 

"The XSLT buffer overrun is critical across the board, Windows 2000, XP, 
and Server 2003," said Hamilton. "This one will be great for phishing 
and Web hacking because of the prevalence of XML and the ease of 

Leatham agreed, and then some. "This one is really, really concerning 
us. I'd expect this to be a prime vulnerability that will definitely be 
targeted for exploit. Click on the wrong link and you're infected."

The problem, according to Microsoft's notes on the vulnerability, is 
compounded by a lack of workarounds or factors that might minimize the 
threat. Microsoft had no workarounds to offer up other than to patch, 
and the only way to guarantee safety is to surf only trusted sites.

"All an attacker has to do is build a page, get people there, and if XML 
is running, the buffer's overrun and remote code can be downloaded," 
said Leatham.

Other bulletins issued Tuesday quash bugs in the Server service; the 
next-generation TCP/IP protocol, IPv6; and .Net Framework 2.0. None of 
those updates were marked higher than important, Microsoft's 
second-from-the-top threat ranking.

One update, however, went missing Tuesday. Last week, in its regular 
Thursday-before-patch-day announcement, Microsoft said it would issue 11 
bulletins, 6 of which would affect Windows. Tuesday saw 10 bulletins, 
with only 5 for Windows.

"We found an issue in our testing after the Thursday notification in one 
of the Windows Updates that caused us to remove that update from the 
release channel while we put it through additional testing," a Microsoft 
spokesperson said. "[We] will make it available in the next release 
cycle once it reaches the quality bar."

Microsoft has reason to hesitate, said Hamilton, who noted the firm has 
had to re-release updates recently. The quality of its August batch was 
especially suspect; Microsoft had to reissue three different bulletins 
from that month, including one that was revised twice.

Users can obtain Tuesday's patches via Windows' Automatic Update, from 
the Microsoft Update service, or through other Microsoft software and 
services, including the enterprise-grade Windows Server Update Services 
(WSUS) and Software Update Services (SUS).

